JP2018533793A - System and method for detecting Domain Generation Algorithm (DGA) malware - Google Patents

Abstract

Accelerated (future) real-time designed to intercept external time requests sent by potential DGA malware hosts, and receive real-time to trigger time-dependent DGA activity By replacing with, malware of domain generation algorithm (DGA) is detected. Different physical systems or virtual systems, such as separate external physical servers or routers, or separate hypervisors or virtual machines running on the same physical system, to reduce the risk of DGA malware identifying a time replacement Interception and substitution are performed outside the above physical or virtual DGA host. Second, using failed DGA malware external access requests triggered only at a future time, identify domain names generated by DGA malware and allow proactive countermeasures.

Description

  [1] The present invention relates to systems and methods for protecting computer systems from malware, and in particular to systems and methods for detecting malware using domain generation algorithms (DGA).

  [2] Malicious software, also known as malware, affects numerous computer systems around the world. Malware poses serious risks to millions of computer users in many forms, including computer viruses, worms, rootkits, and spyware, among which the loss of data and sensitive information, identity theft, and production. Make computer systems vulnerable to loss of sex.

  [3] Security software is used to detect malware that infects a user's computer system, and may additionally be used to remove such malware or stop its execution. Several malware detection techniques are known in the art. Some of such techniques rely on matching pieces of malware agent code to a library of signatures that suggest malware. Other conventional methods detect a set of behaviors that indicate malware agent malware.

  [4] Malicious botnets form particularly harmful types of malware threats. In one attack scenario, a large number of computers are configured to cause an agent configured to connect to a remote resource and download malicious payload or other information, such as a target indicator for initiating a denial of service attack. The system is infected. The agent may be configured to generate a domain name using a domain generation algorithm (DGA) and attempt to connect to that domain name. Such domain names are usually not pre-registered in the domain name registry, so most connection attempts fail. When malware creators decide to launch an attack, they register one of these domain names in the domain name registry and bring the payload online. Suddenly, attempts by botnet members to connect to individual domains are successful and an attack is launched.

  [5] Because domain name generation is performed using an unknown algorithm, preventing such attacks can be difficult. Security applications may encounter sporadic failure attempts to connect to several domain names, but such attempts are usually due to a large number of legal failures to connect to external sites. Covered in an attempt.

  [6] The investigators have a complex and tedious task in identifying infected agents and reverse analyzing domain generation algorithms. Such algorithms use various methods, one of which is to use the current time as input to the pseudorandom number generation algorithm. In the traditional detection approach, the investigator has to disassemble the code to determine the DGA and domain name created.

  [7] According to one aspect, a computer system comprising at least one memory and at least one associated microprocessor is the step of intercepting an original answer to a first external access request, the first step comprising: The external access request is sent by the potential domain generation algorithm (DGA) malware host to the external site, at least one of the steps, the first external access request and the original answer to the first external access request The steps of analyzing to determine if the original response to the first external access request includes real time, and sending the modified response to the potential DGA malware host, the modified response being , Original real time included in the original answer In response to the step and the second external access request being sent by the potential DGA malware host, generated from the original answer by replacing it with the original real time followed by the accelerated real time Intercepting a response indicating that the second access request was not successful, the second external access request being sent after the first external access request has been sent, and Determining that the potential DGA malware host includes malware that is to execute the domain generation algorithm in response to intercepting the response indicating that the access request for the request was not successful. Configured to run outside of the malware host.

  [8] According to one aspect, a computer system including at least one memory and at least one associated microprocessor analyzes a first external access request to provide a true answer to the first external access request Determining whether the first external access request is sent by the potential domain generation algorithm (DGA) malware host to the external site, the step of Analyzing the first true response to the external access request of the second to determine if the first true response includes first information indicating that the advanced real time is not accurate; Sending the finalized answer to the potential DGA malware host, the corrected answer is The second step is generated from the first original answer by replacing the second information with the second information indicating that the advanced real time is accurate, and the second by the potential DGA malware host. Intercepting a second true answer indicating that the second access request was not successful in response to the second external access request being sent to the external site, and intercepting the second answer In response, the step of determining that the potential DGA malware host includes the malware that executes the domain generation algorithm is configured to perform outside the potential DGA malware host.

  [9] According to another aspect, the non-transitory computer readable medium, when executed, intercepts the original answer to the first external access request, wherein the first external access request is a latent Analyzing at least one of the steps sent by the dynamic domain generation algorithm (DGA) malware host to the external site, the first external access request and the original answer to the first external access request, Determining whether the original response to the external access request of the includes an actual time, and sending the corrected response to the potential DGA malware host, wherein the corrected response is included in the original response By replacing the original real time with the actual real time followed by the accelerated real time Intercept the response indicating that the second access request was not successful, in response to the step and the second external access request being sent by the potential DGA malware host, generated from the response of A step, wherein the second external access request is sent after the first external access request has been sent, in response to intercepting the step and a response indicating that the second access request was not successful. And determining that the potential DGA malware host includes malware that executes the domain generation algorithm, at least one of the first computer system to perform outside the potential DGA malware host. Memory and at least one associated my B instruction stores that make up the processor.

  The foregoing aspects and advantages of the present invention will become better understood upon reading the following detailed description and referring to the drawings.

[11] FIG. 12 illustrates an exemplary client system, a server system hosting an external site, and a time server, all interconnected by a network, according to some embodiments of the present invention. FIG. 12 illustrates an exemplary hardware configuration of a client system that may be a potential DGA malware host, according to some embodiments of the present invention. [13] FIG. 13 illustrates an exemplary hardware configuration of a server computer system or network switch / router that may host a DGA detector, in accordance with some embodiments of the present invention. [14] Includes a process running on a potential DGA malware host formed by a virtual machine, and a DGA detector hosted by the same physical system as the potential DGA malware host, according to some embodiments of the present invention FIG. 10 illustrates an exemplary set of software objects. [15] A software object, including a process running on a potential DGA malware host, and a DGA detector hosted on a physical system separate from the potential malware host, according to some embodiments of the present invention FIG. 7 illustrates an exemplary set. [16] FIG. 16 illustrates an exemplary external access request and / or answer according to some embodiments of the present invention. [17] FIG. 10 illustrates an exemplary series of steps performed by the DGA detector when analyzing external access requests to a time server, according to some embodiments of the present invention. [18] FIG. 10 illustrates an exemplary sequence of steps performed by the DGA detector when intercepting the original response to an external access request, according to some embodiments of the present invention. [19] FIG. 9 illustrates an exemplary series of steps performed by a DGA detector when detecting whether a process performs DGA, according to some embodiments of the present invention. [20] FIG. 10 illustrates an exemplary series of steps performed by a DGA detector when analyzing an external access request that includes advanced real time, according to some embodiments of the present invention. [21] FIG. 10 illustrates multiple mathematical relationships between true and advanced real time according to some embodiments of the present invention. [22] FIG. 10 illustrates a series of steps of a method that may be used to determine whether a suspect process performs DGA, according to some embodiments of the present invention.

  [23] In the following description, it is understood that all enumerated connections between structures may be direct operational connections or indirect operational connections through intermediate structures. The set of elements includes one or more elements. Any listing of elements is understood to refer to at least one element. The plurality of elements include at least two elements. Unless otherwise required, any described method steps do not necessarily have to be performed in the particular order shown. Unless otherwise specified, a process is an instance of a computer program, such as an application or part of an operating system, characterized by having at least a thread of execution and a section of virtual memory allocated to the thread of execution by the operating system. , Individual memory sections contain executable code. A blacklist is a list of objects that are blocked from performing a set of actions. Determining or determining in accordance with the parameters includes determining or determining in accordance with the parameters, and optionally in accordance with other data. Computer readable media include non-transitory media such as magnetic, optical and semiconductor storage media (eg, hard drives, optical disks, flash memory, DRAM), and communication links such as conductive cable links and fiber optic links. Do. The time server is responsive to the access request received by the time server to provide real time in the answer and / or responsive to the access request including the real time, the actual time included in the access request being accurate It is an external server that provides an answer indicating whether it is. The time server may or may not be a server dedicated to providing real time values. A dedicated time server is dedicated to providing real-time values in response to queries. Non-dedicated time servers include other content such as text and images (eg, pages of a weather server that provide information about the current weather for a particular location in addition to the current real time for a particular location) Real-time values may be provided as part of a larger content page. According to some embodiments, the present invention relates, inter alia, to hardware programmed to perform the methods described herein (eg, one formed on one or more semiconductor substrates). Or a computer system including a plurality of processors), as well as a computer readable medium encoding instructions for performing the methods described herein.

[24] The following description illustrates embodiments of the present invention by way of example, but not necessarily by way of limitation.
[25] FIG. 1 shows an exemplary DGA host client computer system 10 connected to a DGA detection computer system 11, which includes a DGA target server computer system 14 and a time server computer system 15. It is further connected through the communication network 12. The client system 10 hosts an end user computer system such as a desktop, laptop, tablet or smartphone, or a personal digital assistant (PDA), or a wearable computing device, or a home device such as a TV or music player, or malware It may be any other electronic device that may do. The client system 10 has at least one hardware processor, memory, and storage, and is Windows (registered trademark), MacOS (registered trademark), Linux (registered trademark), Android (registered trademark), or iOS (registered trademark) Run an operating system such as: In some embodiments, client system 10 may be configured to run a hypervisor and one or more virtual machines. The network 12 may be a wide area network, such as the Internet, but a portion of the network 12 may include a local area network (LAN).

  [26] Some processes running on client system 10 may be malicious. In particular, some processes may potentially perform DGA. In some cases, the malware may be hosted by a virtual machine running on client system 10. The DGA detection system 11 is tasked to determine if the process running on the virtual machine performs the DGA. In some embodiments, the DGA detection system 11 includes a computer server, through which the client system 10 accesses the Internet. In some embodiments, at least a portion of DGA detection system 11 is implemented using a router or switch configured with software / hardware that implements at least some of the DGA detection functions described below. Good. In some embodiments using virtualization, the DGA detection system as described below is on the client system 10 but outside the virtual machine that forms the potential DGA host running on the client system 10 It may be implemented. In such a virtualization embodiment, the DGA detection system may run on a system hypervisor and / or on a different virtual machine than the potential DGA host being monitored.

  [27] In some embodiments, the security application runs on a server that forms at least a part of the DGA detection system 11. The security application is configured to perform a number of DGA detection steps by analyzing one or more processes running on the client system 10. Such analysis may include analyzing and intercepting external access requests from client system 10 and responses to client system 10. In an exemplary embodiment, such a security application is configured to determine whether one or more processes running on client system 10 execute a DGA. When DGA malware is detected, the security application further identifies the set of domain names generated by DGA and blacklists the set of domain names. The blacklisted domain name can be sent to multiple instances of security applications running on multiple client and / or server computers as part of a software update to facilitate protecting such systems. is there. The identified domain names may be registered to allow identification and potentially disabling of other infected systems.

  [28] The client 10 may communicate the access request to an external site hosted by the computer system 14. External sites may be characterized by a domain name generated by a domain generation algorithm. The domain name may be formed by an esoteric series of alphanumeric characters (eg, adfjhaadew 34.com or gsriptoi 4534pfh. Io). Such domain names may not have been previously registered by a domain name registrar, and thus are likely to be available for registration by a domain name registrar in the future. If the access request arrives at a site hosted by computer system 14, the access request is successful. If the access request does not reach the site hosted by computer system 14 for any reason, the access request is unsuccessful. The reason for this is that such sites do not yet exist, are not currently enabled, or the domain name characterizing the site is not recognized as a valid domain by the Domain Name System (DNS), There is a possibility that the communication transmitted to this site is not routed to this site. If the access request is successful, the site hosted by computer system 14 sends an answer back to client system 10. If the access request is not successful, then the components of the network 12 send back to the client system 10 a response indicating that the access request was not successful.

  [29] The client system 10 also communicates one or more access requests to the time server 15. The time server 15 responds to such an access request with a response including the real time. In response to the access request requesting confirmation of the included real time, the time server 15 may respond with data indicating whether the real time included in the access request is accurate.

  [30] Figure 2-A shows an exemplary hardware configuration of client system 10, according to some embodiments of the present invention. FIG. 2A shows the particular structure of the computer system for illustrative purposes, and other client systems may have different structures. In some embodiments, system 10 includes a set of physical devices including processor 32, memory unit 34, set of input devices 36, set of output devices 38, set of storage devices 40, and set of network adapters 42. , All connected by a set of buses 44.

  [31] In some embodiments, processor 32 is a physical device (eg, formed on a semiconductor substrate) configured to perform computational and / or logical operations on a set of signals and / or data. Multi-core integrated circuits). In some embodiments, such logical operations are delivered to processor 32 in the form of a series of processor instructions (eg, machine language or other type of software). Memory unit 34 may include a non-transitory computer readable medium (eg, RAM) that stores data / signals accessed or generated by processor 32 in the course of executing instructions. The input device 36 includes individual hardware interfaces and / or adapters that allow the user to enter data and / or instructions into the client system 10, and may include, among others, a computer keyboard, a mouse, and a microphone. The output device 38 may include, inter alia, display screens and speakers, and a hardware interface / adapter such as a graphics card that allows the client system 10 to communicate data to the user. In some embodiments, input device 36 and output device 38 may share common hardware, as in the case of a touch screen device. Storage device 40 includes a computer readable medium that enables non-transitory storage, reading, and writing of software instructions and / or data. Exemplary storage devices 40 include magnetic disk and optical disk and flash memory devices, and removable media such as CD and / or DVD disks and drives. The set of network adapters 42 enables the client system 10 to connect to a computer network, such as the network 12 and / or other devices / computer systems. The bus 44 collectively represents a plurality of system buses, a peripheral bus, and a chipset bus, and / or all other circuit devices that allow the devices 32 to 42 of the client system 10 to communicate with each other. . For example, bus 44 may include, among other things, a north bridge connecting processor 32 to memory 34 and / or a south bridge connecting processor 32 to devices 36-42.

  [32] FIG. 2-B shows an exemplary hardware configuration of a server, such as a server used to implement DGA detection system 11 (FIG. 1). Such servers include a server processor 132, a server memory 134, a set of server storage devices 140, and a set of network adapters 142, all connected by a set of buses 144. The operation of devices 132, 134, 140, and 142 may be identical to the operation of devices 32, 34, 40, and 42 described above. For example, server processor 132 may include physical devices configured to perform computational and / or logical operations on sets of signals and / or data. Server memory 134 may include a non-transitory computer readable medium (eg, RAM) that stores data / signals accessed or generated by processor 132 in the course of performing operations. Network adapter 142 allows the server to connect to a computer network, such as network 12.

  [33] FIG. 3A illustrates an exemplary data exchange between a potential DGA malware host formed by virtual machine 710 and DGA detector 704 external to virtual machine 710. In the illustrated configuration, DGA detector 704 and virtual machine 710 run on a common physical computer system 711. In particular, in the configuration shown in FIG. 3A, DGA detector 704 is an application that runs on and / or forms part of hypervisor 705. The virtual machine 710 sends an access request to the external site 714 and receives a response from the external site 714. Process 701, a set of processes 742 run in parallel on virtual machine 710. The DGA detector 704 analyzes the external access request 702 sent by the example process 701. DGA detector 704 also intercepts and analyzes the original response 715 to request 702. The original answer 715 is then corrected by the DGA detector 704 into a corrected answer 703. In analyzing request 702 and true answer 715, DGA detector 704 may query time server database 712. In FIG. 3A, a timeline database 712 is shown hosted on computer system 711. In some embodiments, time server database 712 may be external to computer system 711. When a process determines that it performs DGA, DGA detector 704 instructs security application 54 to blacklist the process.

  [34] FIG. 3B shows a potential DGA malware host running on computer system 711 'and a DGA detector 704' running on computer system 713 separate from system 711 'according to some embodiments of the present invention. 8 illustrates an exemplary data exchange between Computer system 711 'may be a client computer system. Computer system 713 may be a router, switch, or server computer. Process 701 ', a set of processes 742', run in parallel on computer system 711 '. The DGA detector 704 analyzes the external access request 702 sent by the process 701 to the external site 714. DGA detector 704 also intercepts and analyzes received response 715 for request 702. The original answer 715 may be corrected to a corrected answer 703. In analyzing the request 702 and the true answer 715, the DGA detector may query the time server database 712. Once the process determines that DGA is to be performed, DGA detector 704 determines one or more domain names generated by DGA and instructs security application 54 to add the DGA domain to the blacklist. . In some embodiments, security application 54 blacklists DGA-infected processes running on host 711 and identifies one or more of the identified malware for transmission to other computer systems. Features (eg, hash) may be generated.

  [35] FIG. 4 shows an exemplary set of fields 401a-401d that form part of the external access request 702. The original or modified response to the external access request 702 may include a similar set of fields. In some embodiments, DGA detector 704 (FIG. 3A) identifies fields that contain real-time information by parsing external access request 702 and / or answers to external access request 702. The DGA detector 704 may also parse external access requests 702 to dedicated or non-dedicated time server addresses. The analysis may be performed using a set of regular expressions described below, which use formal rules to describe / identify patterns in the input data. For example, the date may be any sequence of months and days before and after the month and day (for example, numbers 1 to 12 and 1 to 31, respectively) (for example, four digits beginning with 19 or 20) It may be identified by searching for numbers) and may be separated by one of several defined separators (eg, spaces, commas, etc.). As another example, real time may be identified by two or three numbers suppressed to be 24, 60 and 60 respectively, and some defined separators (eg, Space,:, may be separated by one of the other). The address of the time server may be some prefix (eg http, https, ftp, or a network time protocol, ie a protocol identifier such as ntp), and the domain name or internet protocol present in a database or other list of domain name servers It may be identified by the presence of one of the (IP) addresses.

  [36] The appropriate regular expression syntax and specific design may depend on the particular software language and standard library chosen to implement the DGA detector 704 analysis engine. The IEEE POSIX standard provides appropriate syntax for regular expressions. In addition, standard libraries for working with regular expressions are available in a variety of languages, including Perl, Java, Python, C ++, etc.

[37] For example, consider the set of regular expressions used by the IEEE POSIX standard, using the following syntax:
() = Define a group.
[0-9] is an arbitrary number character of 0-9.
It is a character of any character of [az] = az.
{N} = preceding groups may be repeated exactly n times, where n is a natural number.
{, N} = preceding groups may only be repeated n times, where n is a natural number.
{N,} = preceding groups may be repeated at least n times, where n is a natural number.
{M, n} = preceding groups may be repeated between m and n times, where m and n are natural numbers.
{M, n, p} = preceding groups may be repeated m times, n times or p times, where m, n and p are natural numbers.
$ = End of the text to be analyzed

  [38] Using the above syntax, the regular expression “^ (19 | 20) \ d \ d [− /.] (0 [1-9] | 1 [012]) [− /.] (0 [1 −9] | [12] [0-9] | 3 [01]) $ ”is from yyyy-mm-dd from between 1900-01-01 and 2099-12-31 with four separator options. Match dates in the format The four separators are "-", "", "/", and ".". Also, as an example, the regular expression "^ (ht | f) tp (s?) \: \ / \ / [0-9a-zA-Z] ([-. \ W] * [0-9a-zA-Z ]) * (: (0-9) *) * (\ /?) ([A-zA-Z0-9 \-\. \? \, \ '\\\\ + &% \ $ # _] *)? $ "Matches the address of the website address of the URL.

  [39] FIG. 5A illustrates an exemplary series of steps performed by the DGA detector 704 (FIGS. 3A-3B) analyzing external access requests to a time server, according to some embodiments of the present invention. . In step 501, the DGA detector 704 analyzes all external access requests. The DGA detector 704 further intercepts the original answer to the external access request (step 502), and analyzes the original answer (step 503). At step 504, the DGA detector 704 determines whether the expected response includes real time. As mentioned above, the illustrated steps need not be performed in the particular order shown, for example, in some embodiments, step 504 is performed prior to step 502 and / or step 503. You may The determination at step 504 is a time server dedicated or non-dedicated for the access request by comparing the address targeted by the access request to one or more lists of time servers including dedicated and non-dedicated time servers. It may be done by determining whether it contains the address of. The dedicated time server, by Network Time Foundation, is the site of its Network Time Protocol, ie www. ntp. It may be identified via a predefined list, such as a predefined list made available at org. A dedicated time server may be identified through the presence of a Network Time Protocol (ntp) identifier in the request. Non-dedicated time servers search popular sites (eg, www.yahoo.com) and special-use sites (eg, www.weather.com) and select sites that return real time, according to the search results , May be identified by generating a list of non-dedicated time servers. In step 504, to determine if there is a match between the URL address found by parsing and the list of URL addresses from time server database 712, DGA detector 704 detects the time server The database 712 may be queried.

  [40] If the DGA detector 704 determines that the external access request does not include the time server address, then the DGA detector 704 detects in step 507 whether the process performs DGA. Step 507 is described in detail below. If the DGA detector 704 determines that the external access request contains the address of the time server, then the DGA 704 detector replaces the original real time with the advanced real time, as described below. To correct the intercepted original response (step 505). Next, the DGA detector 704 sends the modified answer to the process that sent the access request analyzed in step 501 (step 506).

  [41] FIG. 5B is an exemplary set of examples performed by DGA detector 704 (FIGS. 3A-3B) to analyze the original answer to the external access request, according to some embodiments of the present invention. Indicates a step. In step 502, DGA detector 704 intercepts the original answer to the external access request. At step 503, the DGA detector 704 analyzes the original answer as described above. At step 507, the DGA detector 704 determines whether the process performs DGA.

  [42] At step 524, the DGA detector 704 further determines whether the original answer contains a real time field. The determination performed at step 524 may include retrieving one or more real time values embedded in the text field and / or the image field. Searching for text fields and / or image fields can be accomplished using methods known in the art. In some embodiments, searching for text fields may include editing the object that contains the fields using a specialized application (eg, a text editor for text files). Step 524 may include matching the regular expression by date to the results of the analysis. Next, as discussed below, the DGA detector 704 corrects the intercepted answer by replacing the real time with the advanced real time (step 505). Next, the DGA detector 704 sends the modified answer to the process that sent the analyzed access request (step 506).

  [43] FIG. 5C illustrates an example within step 507 (FIGS. 5A-5B) performed by DGA detector 704 (FIGS. 3A-3B) when determining whether the process performs DGA. Shows a series of steps. At step 527, the DGA detector 704 determines if the original response to the access request is a success. If the original answer is not successful, DGA detector 704 determines whether the process running on the computer system performs DGA (step 528). The determination at step 528 may be performed using methods known in the art. Details from step 528 for DGA detection are presented below. If the process performs DGA, then the domain name generated by DGA is determined (step 529). The domain name identified in step 529 is added to the blacklist from the security application in step 531. The blacklist may be used to update the plurality of client systems 10 in time, and the plurality of client systems 10 may become protected from DGA malware. The security application may be further configured to register the domain name from step 509 in the designated registrar's database of domain names. Timely registration of domain names can prevent malware creators from propagating and / or activating botnet malware using domain names. The security application may be further configured to identify a set of computer systems that send access requests to registered domain names. The identified set of computer systems may include botnet members. Early identification can limit botnet malware propagation.

  [44] Malware may determine real time through various methods, for example, by querying an operating system running on a computer system. The security application may change the real time indicated by the operating system by indicating the advanced real time. The advanced real time shows the real time of the future. Malware may request real-time values by querying the OS. On computer systems running Windows®, calls to the function GetSystemTime () may be used to retrieve real-time values. The malware may then check that the accelerated real time indicated by the OS is correct. To match, malware may include accelerated real time in external access requests to the time server. The original response from the time server may include an indication of whether the advanced real time is accurate.

  [45] FIG. 5D is an exemplary sequence performed by DGA detector 704 (FIGS. 3A-3B) that analyzes external access requests including advanced real time according to some embodiments of the present invention. Indicates a step. In step 501, the DGA detector 704 analyzes all external access requests. Next, the DGA detector 704 intercepts the original response to the external access request (step 502), and analyzes the original response (step 503). At step 544, the DGA detector 704 determines if the original answer is a success. If the original answer is successful, the DGA detector 704 then determines whether the request includes the real time advanced (step 546). Such a determination may be made by comparing the time extracted from the analyzed request with the current time value. The comparison may be performed with a desired level of accuracy, for example, by determining whether the date and / or time (but not necessarily minutes / seconds) match. The DGA detector 704 may determine the current time value by querying the operating system running on the computer system. If such an advanced real time is included, the DGA detector 704 determines whether the original response includes the original information that the advanced real time is not accurate (step 547). If the original answer includes the original information that the advanced real time is not accurate, the DGA detector 704 may modify the original information to a corrected information indicating that the advanced real time is correct. The original answer is corrected by substitution (step 548). Next, the DGA detector 704 sends the modified answer to the process that sent the analyzed access request (step 506). If the original answer is not successful, the DGA detector performs the DGA detection step 507 described above.

  [46] At step 545, the original answer to the analyzed request is intercepted (step 545) and analyzed (step 546). In step 547, the DGA detector 704 determines whether the analyzed original answer contains information that the advanced real time determined in step 543 is not accurate. If a positive determination is made in step 547, the DGA detector 704 replaces the information that the advanced real time is incorrect with the information that the advanced real time is accurate, and it is corrected. Generate an answer. The modified answer is then sent to the process that sent the parsed access request.

  [47] FIG. 6 shows the mathematical relationship between true real time 606 and advanced real time 605 when successive answers include true real time. This mathematical relationship may be encoded in the DGA detector by a function that does not depend on the process of issuing the external access request. In one embodiment, real time may be the current time measured on the client system by the OS. The broken line 601 shows the case where the advanced real time is equal to the actual real time. In one embodiment, accelerated real time may be represented by a convex function 603. This may be desirable when it is advantageous to provide an accelerated real time that moves permanently past real time, for example when the process is matched against certain behaviors. In one embodiment, accelerated real time may be represented by a concave function 604. This is advantageous, for example, when the behavior of the process is provided in detail over a certain duration, when it is advantageous to provide an accelerated real time, which is slowed after the duration of movement far beyond the actual real time. When it is desirable. In one embodiment, accelerated real time may be represented by a linear function 602. This may be desirable when the behavior of the process is investigated for the first time without any prior knowledge.

  [48] Various methods may be used to determine whether a process performs DGA. Some methods may analyze the URLs of external sites 714 (FIG. 1), and may use heuristics such as observation that many URLs generated by DGA do not begin with "www". Other methods may be applied to the heuristics to analyze the clarity of the URL being accessed. Still other methods rely on greylisting any external sites registered by the domain registrar within a predetermined current period, eg, the last 24 hours.

  [49] More sophisticated methods for DGA detection may use analysis of the executable code of the suspected process. FIG. 7 illustrates such a method. Such methods rely on the observation that at least some DGA malware are triggered by events that are of a certain known type (such as time, system events, etc.). In a first step 701, a trigger type is selected for analysis. At step 703, the suspected process is performed using the mixed (specific and symbolic) execution while supplying the selected process with the selected trigger type. The selected trigger type input is represented as a symbolic variable. If branches dependent on symbolic variables do not occur in this step, then each step in the mixed execution is performed specifically, otherwise it is performed symbolically. At step 705, all execution paths are determined based on the values of the symbolic variables. At step 707, all possible execution paths are determined. For example, some of the execution paths determined in step 705 may not be feasible because the execution paths require two conflicting trigger values to each other. For example, an unfeasible execution path may include two branches, and if the real-time value is before May 2015, the first branch is triggered and the real-time value is 2015 7 The second branch is triggered if it is after a month. Finally, in step 711, the URLs generated in each possible path are analyzed. The analysis may include correlating the URL with certain trigger types and values. As an example, if 80% or more of the URL is generated in response to changes in the values of only two trigger types, then a determination is made that the suspected process performs DGA.

  [50] The exemplary systems and methods described above enable detecting malware such as DGA-execution botnets. In some embodiments, suspicious processes run on machines separate from machines that intercept and analyze external access requests and answers, and detect DGAs. The separate machines may be different physical computer systems or may be virtual machines hosted on the same physical computer system. All answers are analyzed and the answers, including the actual real time, are corrected. Within the modified answer, the accelerated real time replaces the true real time. Next, the suspicious process is analyzed to determine if the suspicious process performs DGA. By providing accelerated real time, the domain name generated by the DGA can be obtained before the actual time the domain name will be generated.

  [51] In some embodiments, the suspicious process may send an external access request that includes the accelerated real time. This situation may occur when the suspicious process attempts to match the real time obtained from querying the operating system. The investigator may change the real time indicated by the operating system by pointing to the future time. Thus, the real time indicated by the operating system will be the advanced real time. In normal operation, the original response from the external site indicates that the real time advanced is not accurate. The original answer is corrected as the corrected answer indicates that the real time advanced is correct. Next, the suspicious process is analyzed to determine if the suspicious process performs DGA. By providing accelerated real time, the domain name generated by the DGA can be obtained before the actual time the domain name will be generated. This allows the investigator to determine the domain name that the DGA will generate in the future.

  [52] According to some embodiments, when multiple responses sent by the suspect process are received, including real time, how many times to calculate the advanced real time for the corrected response Some mathematical functions may be used. These various functions are desirable when certain frequencies in the generation of domains by DGA are suspected.

  [53] Providing accelerated real time, and thus triggering DGA execution, investigators detect malicious behavior without engaging in the time-consuming effort of reversely analyzing execution code Make it possible to Blacklisting domains generated by DGA allows security application vendors to provide updates to their customers before malware using domain generation algorithms is activated by the malware creator Do. The domain determined to be generated by the DGA may be pre-registered, and botnet members may be identified according to the request received in the registered domain.

  [54] Intercepting, analyzing, and detecting DGA execution outside of a potential DGA malware host offers the advantage of isolating the potential DGA malware host from research tools. Thus, in the presence of anti-malware tools, the risk of malware modifying its behavior is greatly reduced. In addition, such an approach does not require internal real-time changes exhibited by the DGA malware host's OS. To detect DGA malware, investigators may choose the optimal computing environment. In some embodiments, it may be desirable to initiate a suspicious process. In some embodiments, it may be desirable to detect DGA malware from a router or switch that aggregates Internet traffic in an intranet network.

  It will be apparent to those skilled in the art that the above embodiments may be modified in many ways, without departing from the scope of the present invention. Accordingly, the scope of the present invention should be determined by the following claims and their legal equivalents.

Claims (17)

A first computer system comprising at least one memory and at least one associated microprocessor, wherein the microprocessor is configured to perform steps outside a potential domain generation algorithm (DGA) malware host And the steps are
Intercepting the original answer to the first external access request, wherein the first external access request is sent by the potential DGA malware host to the external site;
Whether at least one of the first external access request and the original answer to the first external access request is analyzed, and the original answer to the first external access request includes a real time Determining
Sending a modified answer to the potential DGA malware host, wherein the modified answer is an actual real time included in the original answer, an advanced real time following the original real time A step generated from the original answer by substituting in time;
Intercepting a response indicating that the second access request was not successful in response to the second external access request being sent by the potential DGA malware host; External access requests are sent after the first external access request has been sent,
Determining, in response to intercepting the response indicating that the second access request was not successful, the potential DGA malware host includes malware that executes a domain generation algorithm. First computer system.   The first computer system according to claim 1, wherein the step of analyzing at least one of the first external access request and the original reply to the first external access request comprises: Identifying the address of the time server in the address field of the external access request of the first computer system.   The first computer system according to claim 1, wherein the step of analyzing at least one of the first external access request and the original reply to the first external access request comprises: Analyzing the true response to the external access request to identify a real-time field from a plurality of fields of the true response to the first external access request.   4. The first computer system according to claim 3, wherein the step of identifying the real-time field comprises: contents of the real-time field with non-dependent real-time values determined by the first computer system. A first computer system comprising the step of comparing.   The first computer system of claim 1, wherein the potential DGA malware host is a second computer system that is physically separate from the first computer system. .   The first computer system of claim 1, wherein the potential DGA malware host is a virtual machine hosted by the first computer system.   The first computer system of claim 1, wherein the at least one associated microprocessor determines a domain name generated by the domain generation algorithm, and the domain generation algorithm is performed according to the domain name. A first computer system, further configured to identify a plurality of computer systems suspected of being running.   The first computer system of claim 1, wherein the at least one associated microprocessor is responsive to determining that the potential DGA malware host contains malware that executes the domain generation algorithm. A first computer system, further configured to add the domain name generated by the domain generation algorithm to a blacklist of security applications. A first computer system comprising at least one memory and at least one associated microprocessor, wherein the microprocessor is configured to perform steps outside a potential domain generation algorithm (DGA) malware host And the steps are
Analyzing the first external access request to determine whether the original answer to the first external access request includes an advanced real time, wherein the first external access request is: Sent to an external site by a potential DGA malware host, and
The first original answer to the first external access request is analyzed to determine whether the first original answer includes first information indicating that the advanced real time is not accurate. Step to
Sending a modified answer to the potential DGA malware host, wherein the modified answer indicates the first information is a second information indicating that the advanced real time is correct Generating from the first true answer by replacing
In response to a second external access request being sent by the potential DGA malware host to a second external site, a second true reply indicating that the second access request was not successful The step of intercepting
And, in response to intercepting the second answer, determining that the potential DGA malware host includes malware that executes a domain generation algorithm. A non-transitory computer readable medium having instructions stored thereon, wherein the instructions when executed execute at least one memory of the first computer system and at least one associated microprocessor, a potential domain generation algorithm (DGA) configure the step to run outside the malware host, said step
Intercepting the original answer to the first external access request, wherein the first external access request is sent by the potential DGA malware host to the external site,
Whether at least one of the first external access request and the original answer to the first external access request is analyzed, and the original answer to the first external access request includes a real time Determining
Sending a modified answer to the potential DGA malware host, wherein the modified answer is an actual real time included in the original answer, an advanced real time following the original real time A step generated from the original answer by substituting in time;
Intercepting a response indicating that the second access request was not successful in response to the second external access request being sent by the potential DGA malware host; External access requests are sent after the first external access request has been sent,
Determining, in response to intercepting the response indicating that the second access request was not successful, the potential DGA malware host includes malware that executes a domain generation algorithm. Non-transitory computer readable medium.   The non-transitory computer readable medium according to claim 10, wherein the step of analyzing at least one of the first external access request and the original answer to the first external access request comprises: Non-transitory computer readable medium comprising the step of identifying the address of a time server in the address field of one external access request.   The non-transitory computer readable medium according to claim 10, wherein the step of analyzing at least one of the first external access request and the original answer to the first external access request comprises: A non-transitory computer readable medium comprising analyzing the true response to an external access request and identifying a real time field from a plurality of fields of the true response to the first external access request.   The non-transitory computer readable medium according to claim 12, wherein the step of identifying the real-time field comprises determining the content of the real-time field as a non-dependent real-time value determined by the first computer system. Non-transitory computer readable medium, comprising the steps of:   The non-transitory computer readable medium according to claim 10, wherein the potential DGA malware host is a second computer system that is physically separate from the first computer system. Readable medium.   The non-transitory computer readable medium according to claim 10, wherein the potential DGA malware host is a virtual machine hosted by the first computer system.   The non-transitory computer readable medium according to claim 10, wherein the at least one associated microprocessor determines a domain name generated by the domain generation algorithm, and the domain generation algorithm according to the domain name. A non-transitory computer readable medium further configured to identify a plurality of computer systems suspected of being running.   The non-transitory computer readable medium according to claim 10, wherein the at least one associated microprocessor determines that the potential DGA malware host contains malware that executes the domain generation algorithm. A non-transitory computer readable medium further configured to, in response, add the domain name generated by the domain generation algorithm to the security application blacklist.

Images